Security by obscurity
Perhaps many readers would doubt if the Hackers would be able to achieve such a coup if Sony were using IBM i to serve their customer data.
The IBM i is renowned as one of the most stable, reliable and secure platforms available for commercial and administrative ICT. It is well known that no virus has yet been able to attack and disable a System i.
I often discuss the security of i with my clients and I am still surprised that most customers are much more concerned with securing their Windows infrastructure than the i. Why should I be surprised at this when everyone understands that most attacks take place on Windows, Unix or Linux based systems and that the i is protected by its obscurity? There are thousands of hacking sites which share information on how to break into or damage Windows or ‘open’ systems but what about the i. Almost all ICT students leave University and college with a great knowledge of Windows –thanks to Microsoft’s marketing strategy- Unix and Linux, but hardly any have even heard of i -thanks to IBMs marketing strategy. Surely knowledge of this system is becoming so scarce that the chances are so small one can afford to be laconic about securing the i. Really this scarcity of i knowledge is the biggest threat to these systems. How can an i be properly secure if no-one knows how to secure it?
Laconic
Is it fair to say that i users are laconic about the security of their system? Surely a user id and password which gives access to a managed user environment will be enough? If an i is behind a firewall then isn’t it safe? Some companies, like banks for instance have to take the security of their i just as seriously as the rest. Any company falling under the eye of SOX, Basel II etc will have to do the same. What does that mean to these companies? An auditor needs to be satisfied! Priority one – pass the audit! Is you I then guaranteed to be secure? It depends very much on the auditor and his ‘toolbox’ if he is able to detect all potential weak points in the system. But what did we say earlier about the scarcity of knowledge?
Tools
There are security tools on the market which can help to secure your i. Some of them can help you make you system watertight but they do require an understanding and knowledge of System i security in order to configure them properly. System i is very often the platform for legacy applications. Systems so long in use, they have been ported, patched and repaired sometimes for more than 20 years that properly securing these legacy applications can make it impossible to use them. So we make compromises which of course weaken the security.
Legacy
Because the i is the platform often running legacy applications it does mean that it holds important information. HR, financial and CRM applications hold data which you would rather not leave open to misuse.
Hacking
First let’s destroy a couple of myths.
1. The i cannot be attacked by a virus. At first sight, and fortunately this is true. The unique architecture of the i operating system makes it (almost) impossible to propagate malicious software which can harm the system. But what is less well known is that because very few users scan for viruses on their i, the IFS (Integrated File System) on the i can be an ideal place to store and distribute virus software where it can remain undetected for years. Any company using the IFS to store data (and programs) used in a windows (etc) environment will do well to scan the system regularly. And while we are talking about the IFS, maybe you should look at the security settings of yours. An incorrectly secured IFS will give any user who has access to the root, access to all objects including data files on the System i!!
2. It takes an i-expert to hack the i. When the AS400 was first delivered it was a ‘proprietary system’. Not being an open system it was secure by definition. Access was by ‘dumb terminal’ (OK I am going way back there) and networking was organized by inherently secure technologies such as SNA. But the growth and acceptance of Open systems, IP and the Internet required the AS400 also to be made more open. Being more open to the pervasive technology has of course made the i more open to unwelcome guests. So a more general knowledge of IP is all that is needed to look for weaknesses in the i’s defenses. And once the hacker has found a weakness, he can use a number of techniques to access the data via FTP, SQL, ODBC, the IFS, and many more. He can use SNMPWALK to scan the system and gain valuable information to further his encroachment into the system. He can use QSHELL and PASE to dig around. He can also use information spread on the existing hacking sites to aid and assist his hacking in the ‘native’ environment.
What to do?
It is time to take the security of your i more seriously. Even companies not falling under international regulations such as SOX should take care, a HR application often contains sensitive personal information on employees which if breached can not only cause great inconvenience to the individuals concerned but will soon (with the strengthening of the WBP) force the victim of the hack to disclose the leak to the authorities and the public which will seriously damage the reputation of said company. Do an extensive security scan of your i, preferably by an expert. Then remediate any risk areas that are uncovered. Repeat the scan and remediation at regular intervals. This can be done manually or it can be automated. If all this sounds too labour intensive and expensive? Consider the alternatives; do you really want to be front page news?
For more details on your IBM i Security please contact info@srcsecuresolutions.eu
Is it fair to say that i users are laconic about the security of their system? Surely a user id and password which gives access to a managed user environment will be enough? If an i is behind a firewall then isn’t it safe? Some companies, like banks for instance have to take the security of their i just as seriously as the rest. Any company falling under the eye of SOX, Basel II etc will have to do the same. What does that mean to these companies? An auditor needs to be satisfied! Priority one – pass the audit! Is you I then guaranteed to be secure? It depends very much on the auditor and his ‘toolbox’ if he is able to detect all potential weak points in the system. But what did we say earlier about the scarcity of knowledge?